This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

What is going on if DNS packets from China get blocked?

StefanHeymans over 10 years ago

Hi folks,

I read this in our weekly UTM9 report:

Most blocked source IP address is 42.120.221.11 (China), port 53 (DNS), 161.684 packets blocked.

Destination IP is the internet interface on the Sophos.

So what does that mean? Why are they sending that much packets?

Kind regards,

Stefan

This thread was automatically locked due to age.

Parents

0 itsfruity over 10 years ago

I'm assuming ATP is blocking these packets?

https://www.virustotal.com/en/ip-address/42.120.221.11/information/

Check logs on your DNS server to see what website is being accessed at the time ATP is being triggered.
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanHeymans over 10 years ago in reply to itsfruity

Hi,

Thanks for your answer.

The packets are being blocked by the packet filter, not the ATP.

I can't find anything special on the DNS server. The virustotal page mentions a type of virus that hasn't been reported last week, that's why I didn't mention it. Also, this would be traffic with a source IP inside the LAN, if it was a virus trying to contact that Chinese server.

The only logs I find are the Packet Filter logs mentioning source IP 42.120.221.11 trying to contact our DNS server (port 53) via our internet interface. Every single packet was dropped, mentioning fwrule="60001" (Input Default Drop) as explained here: https://www.sophos.com/en-us/support/knowledgebase/115029.aspx

So why were these 161.684 packets sent to us from Friday 19:00 till Sunday 07:00, if we didn't ask for it?

Is this an attempt to DDOS? This started with a rate of 32 frames per second.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago in reply to StefanHeymans

Probably not a DDOS as all packets came from the one IP. Maybe a brute force attempt to poison your DNS cache - were all packets srcport="53" and dstport random?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 10 years ago in reply to StefanHeymans

Probably not a DDOS as all packets came from the one IP. Maybe a brute force attempt to poison your DNS cache - were all packets srcport="53" and dstport random?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 StefanHeymans over 10 years ago in reply to BAlfson

Nope, destination port was always 28106...

Time	Action	Rule	Interface IN	Interface OUT		Source MAC	Destination MAC	Source IP	Destination IP	Protocol	Length	TTL	Source Port	Destination Port

2016:04:29-19:30:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:30:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:30:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:30:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:32:13	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:35:42	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:40:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:47:26	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:50:05	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:50:59	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:30:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:30:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:30:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:30:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:32:13	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:35:42	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:40:44	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:47:26	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:50:05	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106
2016:04:29-19:50:59	drop	60001	eth4.231		124	00:1f:9f:xx:xx:xx	00:1a:8c:xx:xx:xx	42.120.221.11	192.168.254.2	17	0x20	113	53	28106